simplify setup

Author: buixor

crowdsec-docs/docs/appsec/quickstart/nginxopenresty.mdx

@@ -3,257 +3,121 @@ id: nginxopenresty
 title: QuickStart - Nginx / OpenResty
 ---
 
-
 import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
-import CodeBlock from '@theme/CodeBlock';
-import UnderlineTooltip from '@site/src/components/underline-tooltip';
-
-# CrowdSec WAF QuickStart for Nginx/OpenResty
-
-## Objectives
-
-The goal of this quickstart is to set up the [AppSec Component](/appsec/intro.md#introduction) to safeguard web applications running on [Nginx](https://nginx.com) or [OpenResty](https://openresty.org/en/).
-
-We'll deploy a [set of rules](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching) designed to block [well-known attacks](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-generic-rules) and [currently exploited vulnerabilities](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching).
-
-Additionally, we'll show how to monitor these alerts through the [Console](https://app.crowdsec.net/).
-
-## Prerequisites
-
-1. If you're new to the [AppSec Component](/appsec/intro.md#introduction) or **W**eb **A**pplication **F**irewalls, start with the [Introduction](/appsec/intro.md#introduction) for a better understanding.
-
-2. It's assumed that you have already installed:
-   - **CrowdSec [Security Engine](/intro.mdx)**: for installation, refer to the [QuickStart guide](/u/getting_started/installation/linux). The AppSec Component, which analyzes HTTP requests, is included within the security engine as a [Acquisition](/log_processor/data_sources/appsec.md).
-   - One of the supported web servers for this guide:
-        - Nginx **[Remediation Component](/u/bouncers/intro)**: installation instructions are available in the [QuickStart guide](/u/bouncers/nginx).
-        - OpenResty **[Remediation Component](/u/bouncers/intro)**: installation instructions are available in the [QuickStart guide](/u/bouncers/openresty).
-
-    This component intercepts HTTP requests at the webserver or reverse-proxy level and forwards them to the AppSec Component for analysis and action.
-
-:::info
-The reason we provide Nginx and OpenResty in a single guide is that OpenResty is a web server based on Nginx just the configuration paths are different
-:::
-
-:::tip Already did the base setup?
-If you already completed the [General Setup](general.mdx) (collections + acquisition), skip to [Remediation Component Setup](#remediation-component-setup).
-:::
-
-## AppSec Component Setup
-
-### Collection installation
-
-To begin setting up the AppSec Component, the initial step is to install a relevant set of rules.
-
-We will utilize the [`crowdsecurity/appsec-virtual-patching`](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching) collection, which offers a wide range of rules aimed at identifying and preventing the exploitation of known vulnerabilities.
-
-This <UnderlineTooltip tooltip="Collections are bundle of parsers, scenarios, postoverflows that form a coherent package.">collection</UnderlineTooltip> is regularly updated to include protection against newly discovered vulnerabilities. Upon installation, it receives automatic daily updates to ensure your protection is always current.
-We also install the [`crowdsecurity/appsec-generic-rules`](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-generic-rules) collection. This collection contains detection scenarios for generic attack vectors. It provides protection in cases where specific scenarios for vulnerabilities do not exist yet.
-
-On the machine where the Security Engine is installed, just execute the following command:
-
-:::info
-You can always view the content of a [collection on the Hub](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching).
-:::
-
-```
-sudo cscli collections install crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
-```
-
-Executing this command will install the following items:
-
-- The [*AppSec Rules*](/appsec/rules_syntax.md) contain the definition of malicious requests to be matched and stopped
-- The [*AppSec Configuration*](/appsec/configuration.md#appsec-configuration-files) links together a set of rules to provide a coherent set
-- The <UnderlineTooltip tooltip="YAML files that extract relevant data from logs, such as IP addresses, timestamps, or request paths.">CrowdSec Parser</UnderlineTooltip> and <UnderlineTooltip tooltip="Behavioral rules written in a domain-specific language that define what malicious activity looks like, such as multiple failed logins in a short time.">CrowdSec Scenario(s)</UnderlineTooltip> bans for a longer duration repeating offenders
-
-### Setup the Acquisition
-
-Having installed the required components, it's time to configure the CrowdSec acquisition datasource for the AppSec Component ([AppSec datasource](/log_processor/data_sources/appsec.md)). This configuration allows Nginx/OpenResty to forward requests to the AppSec Component for evaluation and decision-making.
-
-Steps:
-
-1. Create the acquisition directory (if it doesn't exist on your machine):
-   ```bash
-   sudo mkdir -p /etc/crowdsec/acquis.d/
-   ```
-
-2. Create `/etc/crowdsec/acquis.d/appsec.yaml`:
-   ```yaml title="/etc/crowdsec/acquis.d/appsec.yaml"
-   appsec_configs:
-     - crowdsecurity/appsec-default
-   labels:
-     type: appsec
-   listen_addr: 127.0.0.1:7422
-   source: appsec
-   ```
-
-The two important directives in this configuration file are:
 
- - `appsec_configs` is the list of [*AppSec Configurations*](/appsec/configuration.md#appsec-configuration-files) that was included in the <UnderlineTooltip tooltip="Collections are bundle of parsers, scenarios, postoverflows that form a coherent package.">Collection</UnderlineTooltip> we just installed.
- - the `listen_addr` is the IP and port the AppSec Component will listen to.
+# CrowdSec WAF QuickStart for Nginx / OpenResty
 
-:::warning
-We do not recommend exposing the AppSec Component to the internet. It should only be accessible from the web server or reverse proxy.
-::: 
+Protect an [Nginx](https://nginx.com) or [OpenResty](https://openresty.org/en/) server with CrowdSec's [AppSec (WAF) Component](/appsec/intro.md#introduction). After the prerequisites below, every step is a single copy-paste command — pick your engine once in the tabs and the page will remember the choice.
 
 :::info
-You can find more about the [supported options for the acquisition here](/log_processor/data_sources/appsec.md)
+Nginx and OpenResty share a single guide because OpenResty is Nginx with Lua built in — only the bouncer package and a few paths differ.
 :::
 
-You can now restart CrowdSec:
-
-```bash
-sudo systemctl restart crowdsec
-```
+## Prerequisites
 
-#### Testing the AppSec Component
+Make sure the following are already done on the machine running your web server (all are single-page install guides):
 
-##### Verify the AppSec Component is listening
+1. **CrowdSec Security Engine** installed and running — see the [Linux quickstart](/u/getting_started/installation/linux).
+2. **Nginx or OpenResty bouncer** installed and registered against the CrowdSec LAPI:
+    - Nginx: [`crowdsec-nginx-bouncer`](/u/bouncers/nginx#installation)
+    - OpenResty: [`crowdsec-openresty-bouncer`](/u/bouncers/openresty#installation)
 
-To verify that the AppSec Component is running correctly, we can first check that the port `7422` is open and listening:
+    Only follow the **Installation** section of those pages — the "Enable AppSec" section is exactly what this quickstart covers, come back here for it.
+3. Nginx or OpenResty is currently serving traffic on port 80 (used by the verification step at the end).
 
-:::note
-If you have changed the port in the configuration file, replace `7422` with the new port number.
+:::info Pick your engine
+The tabs below remember your choice across the whole page.
 :::
 
-<Tabs
-  defaultValue="netstat"
-  groupId="listening-ports"
-  values={[
-    {label: 'Netstat', value: 'netstat'},
-    {label: 'SS', value: 'ss'},
-  ]}>
-  
-  <TabItem value="netstat">
-    <CodeBlock className="language-bash">sudo netstat -tlpn | grep 7422</CodeBlock>
-  </TabItem>
-
-  <TabItem value="ss">
-    <CodeBlock className="language-bash">sudo ss -tlpn | grep 7422</CodeBlock>
-  </TabItem>
+<Tabs groupId="engine" defaultValue="nginx" values={[
+  {label: 'Nginx', value: 'nginx'},
+  {label: 'OpenResty', value: 'openresty'},
+]}>
+  <TabItem value="nginx">Commands below will target Nginx.</TabItem>
+  <TabItem value="openresty">Commands below will target OpenResty.</TabItem>
 </Tabs>
 
-<details>
+## 1. Install the AppSec rule collections
 
-<summary>Output example</summary>
+Same command for both engines:
 
 ```bash
-tcp        0      0 127.0.0.1:7422            0.0.0.0:*               LISTEN      12345/crowdsec
+sudo cscli collections install \
+    crowdsecurity/appsec-virtual-patching \
+    crowdsecurity/appsec-generic-rules
 ```
 
-:::note
-The output may look different depending on the command you used. As long as you see port 7422 and the `crowdsec` process, the AppSec Component is running.
-:::
+This pulls the [`appsec-virtual-patching`](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching) collection (rules for known CVEs, auto-updated daily) and the [`appsec-generic-rules`](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-generic-rules) collection (common attack patterns), plus the default AppSec configuration.
 
-</details>
+## 2. Turn on the AppSec Component
 
-##### (Optional) Manually testing the AppSec Component with `curl`
-
-<details>
-  <summary>Expand for short guide</summary>
-
-Before we proceed with configuring the Remediation Component, let's verify that all our current setups are functioning correctly.
-
-1. Create a Remediation Component (Bouncer) API Key:
-
-```bash
-sudo cscli bouncers add test_waf -k this_is_a_bad_password
-API key for 'test_waf':
-
-   this_is_a_bad_password
-
-Please keep this key since you will not be able to retrieve it!
-```
-
-2. Emit a legitimate request to the AppSec Component:
-
-```bash
-curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /test' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password'
-```
-
-Which will give us an answer such as:
+Create the acquisition file, then restart CrowdSec:
 
 ```bash
-HTTP/1.1 200 OK
-Date: Tue, 30 Jan 2024 15:43:50 GMT
-Content-Length: 36
-Content-Type: text/plain; charset=utf-8
-
-{"action":"allow","http_status":200}
+sudo mkdir -p /etc/crowdsec/acquis.d
+sudo tee /etc/crowdsec/acquis.d/appsec.yaml > /dev/null <<'EOF'
+appsec_configs:
+  - crowdsecurity/appsec-default
+labels:
+  type: appsec
+listen_addr: 127.0.0.1:7422
+source: appsec
+EOF
+sudo systemctl restart crowdsec
 ```
 
-3. Emit a malevolent request to the Appsec Component:
-
-:::info
-We're trying to access a `.env` file, a [common way to retrieve credentials left by mistake](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access).
+:::warning
+Keep `listen_addr` on `127.0.0.1` — the AppSec Component must not be reachable from the internet. It should only be queried by your local web server / reverse proxy.
 :::
 
-```bash
-curl -X POST localhost:7422/ -i -H 'x-crowdsec-appsec-uri: /.env' -H 'x-crowdsec-appsec-ip: 192.168.1.1' -H 'x-crowdsec-appsec-host: foobar.com' -H 'x-crowdsec-appsec-verb: POST' -H 'x-crowdsec-appsec-api-key: this_is_a_bad_password'
-
-```
+## 3. Point the bouncer at the AppSec Component
 
-Our request is detected and blocked by the AppSec Component:
+<Tabs groupId="engine" defaultValue="nginx" values={[
+  {label: 'Nginx', value: 'nginx'},
+  {label: 'OpenResty', value: 'openresty'},
+]}>
+  <TabItem value="nginx">
 
 ```bash
-HTTP/1.1 403 Forbidden
-Date: Tue, 30 Jan 2024 15:57:08 GMT
-Content-Length: 34
-Content-Type: text/plain; charset=utf-8
-
-{"action":"ban","http_status":403}
+sudo sed -i 's|^APPSEC_URL=.*|APPSEC_URL=http://127.0.0.1:7422|' \
+    /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
+sudo systemctl restart nginx
 ```
 
-Let's now delete our test API Key:
+  </TabItem>
+  <TabItem value="openresty">
 
 ```bash
-sudo cscli bouncers delete test_waf
+sudo sed -i 's|^APPSEC_URL=.*|APPSEC_URL=http://127.0.0.1:7422|' \
+    /etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf
+sudo systemctl restart openresty
 ```
 
-</details>
-
-## Remediation Component Setup
+  </TabItem>
+</Tabs>
 
-Since our AppSec Component is active and listening, we can now configure the Remediation Component to forward requests to it.
+The default bouncer config already contains an empty `APPSEC_URL=` line, so `sed -i` replaces it in place — the command is idempotent and safe to re-run.
 
-To setup forwarding of requests in the remediation component, we'll modify its configuration file and append the following line:
+## 4. Verify
 
-- `Nginx`: `/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf`
-- `OpenResty`: `/etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf`
+Send a request that should trip an AppSec rule:
 
 ```bash
-APPSEC_URL=http://127.0.0.1:7422
+curl -I http://localhost/.env
+# expect: HTTP/1.1 403 Forbidden
 ```
 
-This instructs the remediation component to communicate with the AppSec Component at `http://127.0.0.1:7422`.
-
-Once configured, all incoming HTTP requests will be sent there for analysis. The snippet above assumes that the AppSec Component is running on the same machine.
+We're hitting a `.env` file, a [common way to retrieve credentials left by mistake](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access) — the AppSec Component detects and blocks it.
 
-We can now restart the service:
+Check that CrowdSec recorded the block:
 
 ```bash
-sudo systemctl restart nginx
+sudo cscli metrics show appsec
 ```
 
-## Testing the AppSec Component + Remediation Component
-
-:::note
-We're assuming the web server is installed on the same machine and is listening on port 80. Please adjust your testing accordingly if this is not the case.
-You can also look at the [General WAF Testing](/docs/appsec/quickstart/general.mdx#testing-waf-component)
-:::
-
-
-
-if you try to access `http://localhost/.env` from a browser, your request will be blocked, resulting in the display of the following HTML page:
-
-![appsec-denied](/img/appsec_denied.png)
-
-We can also look at the metrics from `cscli metrics show appsec` it will display:
- - the number of requests processed by the AppSec Component
- - Individual rule matches
-
- <details>
-  <summary>Example Output</summary>
+<details>
+<summary>Example metrics output</summary>
 
 ```bash title="sudo cscli metrics show appsec"
 Appsec Metrics:
@@ -273,31 +137,28 @@ Appsec '127.0.0.1:7422/' Rules Metrics:
 
 </details>
 
-### Explanation
+<details>
+<summary>What just happened?</summary>
 
-What happened in the test that we just did is:
+1. `curl` hit your web server at `/.env`.
+2. The bouncer forwarded the request to the AppSec Component on `127.0.0.1:7422`.
+3. The request matched the [`vpatch-env-access`](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access) rule.
+4. The AppSec Component answered `403`, the bouncer enforced it, and the web server returned the CrowdSec ban page.
 
- 1. We did a request (`localhost/.env`) to our local webserver
- 2. Thanks to the Remediation Component configuration, forwarded the request to `http://127.0.0.1:7422`
- 3. Our AppSec Component, listening on `http://127.0.0.1:7422` analyzed the request
- 4. The request matches the [AppSec rule to detect .env access](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access)
- 5. The AppSec Component thus answered with [HTTP 403](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403) to the Remediation Component, indicating that the request must be blocked
- 6. The web server then presented us with the default "request blocked" page.
+</details>
 
-## Integration with the Console
+If you'd rather see the block in a browser, visit `http://<your-host>/.env` — you'll get the CrowdSec ban page:
 
-If you haven't yet, follow the guide about [how to enroll your Security Engine in the Console](/u/getting_started/post_installation/console).
+![appsec-denied](/img/appsec_denied.png)
 
-Once done, all your alerts, including the ones generated by the AppSec Component, appear in the Console:
+## Monitor in the Console
 
-![appsec-console](/img/appsec_console.png)
+If you haven't enrolled the Security Engine yet, follow [how to enroll in the Console](/u/getting_started/post_installation/console). Once enrolled, AppSec alerts show up alongside the rest of your alerts:
 
+![appsec-console](/img/appsec_console.png)
 
 ## Next steps
 
-You are now running the AppSec Component on your CrowdSec Security Engine.
-
-As the next steps, you can:
-- Monitor WAF alerts with `sudo cscli alerts list` and in the [CrowdSec Console](https://app.crowdsec.net).
+- Monitor WAF alerts with `sudo cscli alerts list` or in the [CrowdSec Console](https://app.crowdsec.net).
 - Review the [AppSec troubleshooting guide](/appsec/troubleshooting.md) if you need to investigate or refine the deployment.
 - Explore [WAF deployment strategies](/appsec/advanced_deployments.mdx), [rules syntax](/appsec/rules_syntax.md), [rule creation](/appsec/create_rules.md), and [benchmarks](/appsec/benchmark.md) to go further.